3d4a87e6b7fe5d3db1c87e1e00a9799afdf0e5a2ebc420b6aa938443fbe87480

Analysis

max time kernel
1644s
max time network
1709s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
05-07-2023 07:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

INVOICE - SAETHER_20230704.html
Size

2KB
MD5

3a56e44f3d0f60a869ca738ed44fb51f
SHA1

a2a824efe9dabddbad879d97dfbffdc05fd6b7dd
SHA256

3d4a87e6b7fe5d3db1c87e1e00a9799afdf0e5a2ebc420b6aa938443fbe87480
SHA512

2a50318add30262fcc3de83dc58c62c63edba3e4d2e7be7480b92acf820ddbd640663bcd663db5e2665e9431ba60198dcd2b1777a289e2cae0d49d5ddcff680b

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe
Token: SeShutdownPrivilege	1184	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe
1184	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 1708	1184	chrome.exe	29
PID 1184 wrote to memory of 1708	1184	chrome.exe	29
PID 1184 wrote to memory of 1708	1184	chrome.exe	29
PID 1184 wrote to memory of 2196	1184	chrome.exe	31
PID 1184 wrote to memory of 2196	1184	chrome.exe	31
PID 1184 wrote to memory of 2196	1184	chrome.exe	31
PID 1184 wrote to memory of 2196	1184	chrome.exe	31
PID 1184 wrote to memory of 2196	1184	chrome.exe	31
PID 1184 wrote to memory of 2196	1184	chrome.exe	31
PID 1184 wrote to memory of 2196	1184	chrome.exe	31
PID 1184 wrote to memory of 2196	1184	chrome.exe	31
PID 1184 wrote to memory of 2196	1184	chrome.exe	31
PID 1184 wrote to memory of 2196	1184	chrome.exe	31
PID 1184 wrote to memory of 2196	1184	chrome.exe	31
PID 1184 wrote to memory of 2196	1184	chrome.exe	31
PID 1184 wrote to memory of 2196	1184	chrome.exe	31
PID 1184 wrote to memory of 2196	1184	chrome.exe	31
PID 1184 wrote to memory of 2196	1184	chrome.exe	31
PID 1184 wrote to memory of 2196	1184	chrome.exe	31
PID 1184 wrote to memory of 2196	1184	chrome.exe	31
PID 1184 wrote to memory of 2196	1184	chrome.exe	31
PID 1184 wrote to memory of 2196	1184	chrome.exe	31
PID 1184 wrote to memory of 2196	1184	chrome.exe	31
PID 1184 wrote to memory of 2196	1184	chrome.exe	31
PID 1184 wrote to memory of 2196	1184	chrome.exe	31
PID 1184 wrote to memory of 2196	1184	chrome.exe	31
PID 1184 wrote to memory of 2196	1184	chrome.exe	31
PID 1184 wrote to memory of 2196	1184	chrome.exe	31
PID 1184 wrote to memory of 2196	1184	chrome.exe	31
PID 1184 wrote to memory of 2196	1184	chrome.exe	31
PID 1184 wrote to memory of 2196	1184	chrome.exe	31
PID 1184 wrote to memory of 2196	1184	chrome.exe	31
PID 1184 wrote to memory of 2196	1184	chrome.exe	31
PID 1184 wrote to memory of 2196	1184	chrome.exe	31
PID 1184 wrote to memory of 2196	1184	chrome.exe	31
PID 1184 wrote to memory of 2196	1184	chrome.exe	31
PID 1184 wrote to memory of 2196	1184	chrome.exe	31
PID 1184 wrote to memory of 2196	1184	chrome.exe	31
PID 1184 wrote to memory of 2196	1184	chrome.exe	31
PID 1184 wrote to memory of 2196	1184	chrome.exe	31
PID 1184 wrote to memory of 2196	1184	chrome.exe	31
PID 1184 wrote to memory of 2196	1184	chrome.exe	31
PID 1184 wrote to memory of 2188	1184	chrome.exe	32
PID 1184 wrote to memory of 2188	1184	chrome.exe	32
PID 1184 wrote to memory of 2188	1184	chrome.exe	32
PID 1184 wrote to memory of 2388	1184	chrome.exe	33
PID 1184 wrote to memory of 2388	1184	chrome.exe	33
PID 1184 wrote to memory of 2388	1184	chrome.exe	33
PID 1184 wrote to memory of 2388	1184	chrome.exe	33
PID 1184 wrote to memory of 2388	1184	chrome.exe	33
PID 1184 wrote to memory of 2388	1184	chrome.exe	33
PID 1184 wrote to memory of 2388	1184	chrome.exe	33
PID 1184 wrote to memory of 2388	1184	chrome.exe	33
PID 1184 wrote to memory of 2388	1184	chrome.exe	33
PID 1184 wrote to memory of 2388	1184	chrome.exe	33
PID 1184 wrote to memory of 2388	1184	chrome.exe	33
PID 1184 wrote to memory of 2388	1184	chrome.exe	33
PID 1184 wrote to memory of 2388	1184	chrome.exe	33
PID 1184 wrote to memory of 2388	1184	chrome.exe	33
PID 1184 wrote to memory of 2388	1184	chrome.exe	33
PID 1184 wrote to memory of 2388	1184	chrome.exe	33
PID 1184 wrote to memory of 2388	1184	chrome.exe	33
PID 1184 wrote to memory of 2388	1184	chrome.exe	33
PID 1184 wrote to memory of 2388	1184	chrome.exe	33

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" "C:\Users\Admin\AppData\Local\Temp\INVOICE - SAETHER_20230704.html"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6899758,0x7fef6899768,0x7fef6899778
  2⤵
  PID:1708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1156 --field-trial-handle=1224,i,12310865224372714119,1272369406224851730,131072 /prefetch:2
  2⤵
  PID:2196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 --field-trial-handle=1224,i,12310865224372714119,1272369406224851730,131072 /prefetch:8
  2⤵
  PID:2188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1608 --field-trial-handle=1224,i,12310865224372714119,1272369406224851730,131072 /prefetch:8
  2⤵
  PID:2388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2152 --field-trial-handle=1224,i,12310865224372714119,1272369406224851730,131072 /prefetch:1
  2⤵
  PID:1016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2160 --field-trial-handle=1224,i,12310865224372714119,1272369406224851730,131072 /prefetch:1
  2⤵
  PID:1328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1256 --field-trial-handle=1224,i,12310865224372714119,1272369406224851730,131072 /prefetch:2
  2⤵
  PID:1784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1068 --field-trial-handle=1224,i,12310865224372714119,1272369406224851730,131072 /prefetch:8
  2⤵
  PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=728 --field-trial-handle=1224,i,12310865224372714119,1272369406224851730,131072 /prefetch:1
  2⤵
  PID:2228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3596 --field-trial-handle=1224,i,12310865224372714119,1272369406224851730,131072 /prefetch:1
  2⤵
  PID:2464

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1124

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
756349035321841b0c4abd575bb1c02c

SHA1
2fa27d3d30af5d34962bef7cd46b29b272f6e749

SHA256
54a914373492509cf9fea6122d6502c51928939f6ed0ad202140b6b6a1d6f2f9

SHA512
6d54930ef9ec4f3d8519dd78691e1d56cf90101548072bf36efc3d134b5aa92057bd3e44d02612c6762d34cd1e1bc28fc9a47a469f75490909fa80c5ad8620c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\CURRENT~RF6e1a65.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
54c651bbe658dac74d6d29b81c91592f

SHA1
79466088da60aaa6eb382433b251b7f092e9dcc0

SHA256
b9afe23f24feba2ec049efe0e6a80da9d4e68230d3b2978bd06200ef8c4850e3

SHA512
40f0b80a6dd0cc8de87825f09a019704e3c6522af5f1b35d181baa1ba87a243d6c26ff57146bb6ad729897f5ae08b6aabe8d2037699369aeab4024009b223b44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
ef37f42edb20e8ac3a1a89949286973f

SHA1
eb5d82ba3ef4a1f746aa775711ccb6a1bc27b1e0

SHA256
e3e7aa93356f2b4bcd0e86daa259ce3f7b99d1c417d34e9f17959e23b8cc3392

SHA512
b34acb2e33aaa6d6239bad4939bb0e748562c7e68f963c5992e6c883b4d0184134e88fd2be3d68081964e887d1d1803d1d51172e9a743469bea40d1966c2cb1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
87657993c9b8f2c5a3cdbed90126fa26

SHA1
2e82cffb5617c1e107095f5caaf298bb6a75c3eb

SHA256
fce530f4da17ca68842f4e77512fb97523357171adcbb71472451f3e318264fb

SHA512
df19c3c6c3cfe2321ebcc10912d88575a5f481cde27840f409cfc89c9016dfecf15fff6361d3447e8fda79240fb275a757e3812fb86c8e40a332bf4c199ac9b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab347B.tmp

Filesize
62KB

MD5
3ac860860707baaf32469fa7cc7c0192

SHA1
c33c2acdaba0e6fa41fd2f00f186804722477639

SHA256
d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

SHA512
d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3559.tmp

Filesize
164KB

MD5
4ff65ad929cd9a367680e0e5b1c08166

SHA1
c0af0d4396bd1f15c45f39d3b849ba444233b3a2

SHA256
c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6

SHA512
f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

Download Submit